It covered data gathered from third-party sources as well as via Facebook’s other apps, including Instagram.

The US firm has said it will appeal.

Specifically, the FCO has ruled that:

Facebook’s various services can continue to collect data, but they cannot combine it with the user’s main Facebook account unless the member gives their voluntary consent.

Collecting data from third-party websites and assigning it to a Facebook user’s account is likewise only allowed if that member has given the firm permission.

The watchdog added that an “obligatory tick on the box” to agree to all the company’s terms was not a sufficient basis for “such intensive data processing”.

The ruling only applies to the firm’s activities in Germany, but is likely to influence other regulators.

Facebook claims the Federal Cartel Office has overstepped the mark by pursuing a data privacy matter that Facebook says falls under the remit of another regulator.

It has one month to challenge the ruling before it becomes legally effective.

If the order is upheld, the company must develop technical solutions to ensure it complies within four months.

Data sharing

The FCO’s justification for the case is that it believes Facebook abused its market dominance to gather the data.

“In future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts,” explained Andreas Mundt, the FCO’s president.

“The combination of data sources substantially contributed to the fact that Facebook was able to build a unique database for each individual user and thus to gain market power.”

The ruling could affect the firm’s use of the Like and Share buttons on external sites, which let Facebook track each visitor’s internet protocol (IP) address, web browser name and version, and other details that can be used to identify them. This is true even if users never click on the buttons.

Likewise, the Facebook Login, which lets users avoid having to type in a unique username and password for each service, shares similar device-identifying information.